Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
649 views
in Technique[技术] by (71.8m points)

proxy - Why is CNTLM asking for password?

I have configured CNTLM Proxy Authorization on Windows with configuration file looking like,

Auth            NTLM
PassNT          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PassLM          YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
PassNTLMv2      ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

Proxy           proxy.xxxx.com:8080

Listen          3130

And I use localhost:3130 as proxy in LAN Settings, hit any URL on browser and it is asking for the password again!. If I enter the same password with which I generated the hash, it works. Simply the purpose of Cntlm is beaten. Has anybody faced this? How does this work? Is there any way to get around this problem?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

<EDIT> If you are using Windows then I strongly recommend px over Cntlm since it doesn't need any handsake mechanism.

Notes on px:

It is primarily designed to run on Windows systems and authenticates on behalf of the application using the currently logged in Windows user account

</EDIT>

1) Install CNTLM to default directory (on Windows, C:Program Files (x86)cntlm ).

2) Run cmd.exe

3) Type : cd "C:Program Files (x86)cntlm"

4) Type : cntlm.exe -H -d your_domain -u your_username

It will ask your password. Enter your password and cntlm will give you some hashes. Something like this:

c:Program Files (x86)Cntlm>cntlm -H -d your_domain -u your_username
Password:
PassLM          4E9C185900C7CF0B6FFCB2044F81920C
PassNT          6E9F120B83EEA0E875CE8E6F9730EC9A
PassNTLMv2      2A0B7C2457FB7DD8DA4EB737C4FA224F  

Now you have password hashed. Save them to a text editor.

5) Type : cntlm -M http://www.google.com

Again enter your password. It will give you something like this:

c:Program Files (x86)Cntlm>cntlm -M http://www.google.com
Password:
Config profile  1/4... Credentials rejected
Config profile  2/4... OK (HTTP code: 302)
----------------------------[ Profile  1 ]------
Auth            NTLM
PassNT          6E9F120B83EEA0E875CE8E6F9730EC9A
PassLM          4E9C185900C7CF0B6FFCB2044F81920C
------------------------------------------------

Now you see that profile 2 is successful. Because it says OK for profile 2. It may be different on your system.

The trick is,

  • if the Auth is NT, then you must use only PassNT
  • if the Auth is LM, then you must use only PassLM
  • if the Auth is NTLM, then you must use both PassNT and PassLM
  • if the Auth is NTLMv2, then you must use only PassNTLMv2

Now we got all we want. For my configuration, Auth says NTLM so I will use both PassNT and PassLM in the cntlm.ini configuration file.

This is an example configuration file NTLM (not NTLMv2!):

#
# Cntlm Authentication Proxy Configuration File
#

Username yourusername
Domain yourdomain

Auth NTLM
PassNT 6E9F120B83EEA0E875CE8E6F9730EC9A
PassLM 4E9C185900C7CF0B6FFCB2044F81920C

Workstation yourhostname.yourdomain

# Most probably proxy.yourdomain:8080
Proxy  yourProxyIP:yourProxyPort

NoProxy  localhost, 127.0.0.*, 10.*, 192.168.*

Listen  3132

Gateway yes
# end of config

6) To test your configuration, type: cntlm -c cntlm.ini -I -M http://www.google.com

7) To start cntlm, type: net start cntlm

Now you can use your computer's IP address and port 3132 as a proxy.


You can get the latest Cntlm binaries here: http://cntlm.sourceforge.net/


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...